Applies ToWindows 7 Service Pack 1 Windows 7 Enterprise Windows 7 Home Premium Windows 7 Professional Windows 7 Ultimate Windows 7 Home Basic Windows 7 Enterprise Windows 7 Home Premium Windows 7 Professional Windows 7 Ultimate Windows 7 Home Basic Windows Server 2008 R2 Service Pack 1 Windows Server 2008 R2 Datacenter Windows Server 2008 R2 Enterprise Windows Server 2008 R2 Standard Windows Server 2008 R2 Datacenter Windows Server 2008 R2 Enterprise Windows Server 2008 R2 Standard Windows Server 2008 Service Pack 2 Windows Server 2008 Datacenter Windows Server 2008 Enterprise Windows Server 2008 Standard Windows Server 2008 Web Edition Windows Server 2008 Datacenter Windows Server 2008 Enterprise Windows Server 2008 Standard Windows Server 2008 Web Edition Microsoft Windows Server 2003 Service Pack 2 Microsoft Windows XP Professional x64 Edition

INTRODUCTION

Microsoft has released security bulletin MS12-006. To view the complete security bulletin, go to one of the following Microsoft websites:

How to obtain help and support for this security update

Help installing updates: Support for Microsoft UpdateSecurity solutions for IT professionals: TechNet Security Troubleshooting and SupportHelp protect your computer that is running Windows from viruses and malware:Virus Solution and Security CenterLocal support according to your country: International Support

Fix it for me

Two Fix it solutions are available.

  • Fix it solution for Transport Layer Security (TLS) 1.1 in Internet Explorer: This solution enables TLS 1.1, which is not affected by this vulnerability, in Windows Internet Explorer. Most typical users should install this Fix it solution.

  • Fix it solution for TLS 1.1 on Windows-based servers: This solution enables TLS 1.1, which is not affected by the vulnerability.

The Fix it solutions that are described in this section are not intended as replacements for any security update. We recommend that you always install the latest security updates. However, we offer these Fix it solutions as workaround options for some scenarios. For more information about the workarounds, see security bulletin MS12-006:

http://technet.microsoft.com/security/bulletin/ms12-006 The bulletin provides more information about the issue and includes the following:

  • The scenarios in which you might apply or disable the workaround

  • Mitigating factors

  • Workarounds

  • Frequently asked questions

Specifically, to see this information, look for the Vulnerability Information section, and then expand the Workarounds paragraph under the SSL and TLS Protocols Vulnerability - CVE-2011-3389 paragraph.

Fix it solution for TLS 1.1 on Internet Explorer

To enable or disable this Fix it solution, click the Fix it button or link under the Enable or Disable heading. Click Run in the File Download dialog box, and then follow the steps in the Fix it Wizard.

Enable

Disable

Notes

  • These wizards may be in English only. However, the automatic fixes also work for other language versions of Windows.

  • If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or a CD, and then you can run it on the computer that has the problem.

Fix it solution for TLS 1.1 on Windows-based servers

To enable or disable this Fix it solution, click the Fix it button or link under the Enable or Disable heading. Click Run in the File Download dialog box, and then follow the steps in the Fix it Wizard.

Enable

Disable

Notes

  • These wizards may be in English only. However, the automatic fixes also work for other language versions of Windows.

  • If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or a CD, and then you can run it on the computer that has the problem.

Known issues with this security update

After you install this security update, you may experience authentication failure or loss of connectivity to some HTTPS servers. This issue occurs because this security update changes the way that records are sent to HTTPS servers. To temporarily disable or re-enable this security update, click the Fix it button or link under the Disable the security update or Re-enable the security update heading. Click Run in the File Download dialog box, and then follow the steps in the Fix it wizard.

Disable the security update

Re-enable the security update

Notes

  • These wizards may be in English only. However, the automatic fixes also work for other language versions of Windows.

  • If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or a CD, and then you can run it on the computer that has the problem.

The following table shows the values that are applied by these Fix it solutions to the SendExtraRecord registry DWORD entry:

Heading

Value applied to SendExtraRecord entry

Disable the security update

2

Re-enable the security update

0

Note The SendExtraRecord setting will be included in future releases of Windows.

Known issues and additional information about this security update

The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information. If this is the case, the known issue is listed below each article link:

  • 2585542 MS12-006: Description of the security update for Webio, Winhttp, and schannel in Windows: January 10, 2012

  • 2638806 MS12-006: Description of the security update for Winhttp in Windows Server 2003 and Windows XP Professional x64 Edition: January 10, 2012

Registry information

Not recommended We do not recommend that you use the following procedure to disable this security update. However, we provide this procedure for scenarios in which you may be using applications that are incompatible with this security update, which enables split SSL records for all applications. Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756How to back up and restore the registry in Windows By default, this security update sets the Opt-in mode at the schannel level, because of application compatibility issues. To disable this security update for all applications system-wide, you must add a DWORD value that's named SendExtraRecord and that has a value of 2 to the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNELTo add this schannel registry entry registry entry, follow these steps:

  1. Click Start, click Run, type regedit in the Open box, and then click OK.

  2. Locate and then click the following subkey in the registry:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL

  3. On the Edit menu, point to New, and then click DWORD Value.

  4. Type SendExtraRecord for the name of the DWORD value, and then press Enter.

  5. Right-click SendExtraRecord, and then click Modify.

  6. In the Value data box, type 2 to disable the split record in schannel, and then click OK.

  7. Exit Registry Editor.

This registry entry can have three values, and each value provides different modes of operation:

Reg-key Value

Description

0

By default, schannel is included in "Optin Mode." This means that this security update will work for all the callers who send the Secure flag to schannel. The "SendExtraRecord" schannel registry entry will not be created by the security package. Therefore, no schannel registry entry means the system is running this mode. If someone creates this registry key and set the value to 0, schannel will again run in this mode. This setting has the same effect as not creating this registry entry at all. Applications that send a Secure flag to schannel during session initialization will only exercise the fixed secure code path. For other applications, there will be no change in schannel behavior. This security update also fixes the application layers that are involved in web browsing by using Internet Explorer to send the Secure flag, in order to help secure the browser usage scenarios. Note In Windows Server 2003, security update 2638806 must be installed to help secure HTTP client applications that use WinHTTP APIs. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

2638806 MS12-006: Description of the security update for Winhttp in Windows Server 2003 and Windows XP Professional x64 Edition: January 10, 2012

1

Setting the value to 1 means "enabled for all." This means callers do not have to send the flag, and the schannel will split all SSL records. With this value set, applications do not have to take any change. A customer who is very concerned about system security can help make their system safer by enabling this registry key.

2

Setting the value to 2 means "disabled for all." This means that the schannel will not split the records for any encryption call that the application makes. This mode does not honor the Secure flag that an application sends.

Based on internal testing, we found that you cannot feasibly set the registry value to 1 because it can break too many scenarios in an enterprise. Therefore, we discourage users from using it.

Known issues with enabling the SendExtraRecord registry entry

  • Setting the SendExtraRecord registry value to 1 enforces record-splitting in every call to encrypt data in schannel. This occurs regardless of whether the caller sent the Secure flag during session initialization.

  • Many applications that use schannel are written so that the receiver side assumes application data will be packed into a single packet. This occurs even though the application calls schannel for decryption. The applications ignore a flag that is set by schannel. The flag indicates to the application that there is more data to be decrypted and picked up by the receiver. This method does not follow the MSDN-prescribed method of using schannel. Because the security update enforces record-splitting, this breaks such applications.

  • Broken applications include Microsoft products and in-box components. The following are examples of scenarios that may be broken when the SendExtraRecord registry value is set to 1:

    • All SQL products, and applications that are built onto SQL.

    • Terminal Servers that have Network Level Authentication (NLA) turned on. By default, NLA is enabled in Windows Vista and later versions of Windows.

    • Some Routing Remote Access Service (RRAS) scenarios.

Setting the SendExtraRecord registry value to 1 enforces the secure record-splitting for all applications that use Windows TLS/SSL. However, this setting is likely to have application compatibility issues. Therefore, we recommend that customers configure TLS 1.1 and TLS 1.2 instead of using this registry setting. TLS 1.1 and TLS 1.2 are not vulnerable to this issue. If a user intends to use this registry setting, we recommend that they extensively test application compatibility testing before they implement it. Some common products that are known to be affected by this setting include Microsoft SQL products, Windows Terminal Server, and Windows Remote Access Server.

FAQ

Q: What can Microsoft do to help me fix my server-side application?A: Make sure that your application can handle the Fragmentation of SSL/TLS application records, as described in the following RFCs:

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.